CVE-2003-1009
CVSS 10.0
Published: 2004-03-29 00:00:00
Last revised: 2008-09-05 16:35:47

[Original text] Directory Services in Apple Mac OS X 10.0.2, 10.0.3, 10.2.8, 10.3.2 and Apple Mac OS X Server 10.2 through 10.3.2 accepts authentication server information from unknown LDAP or NetInfo sources as provided by a malicious DHCP server, which allows remote attackers to gain privileges.


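[CNNVD] Apple MacOS X DHCP Response Root Access Vulnerability (CNNVD-200403-133)

Mac OS X is a BSD-based operating system that runs on Mac computers.

Mac OS X has a flaw in how it handles DHCP responses; a remote attacker can exploit it to access an affected system with root privileges.

By default, affected Mac OS X systems attempt to negotiate DHCP on all available interfaces. Even when an AirPort card is installed and no network is nearby, the system will by default associate with any network and obtain an address via DHCP. If a DHCP or NetInfo server can be reached, the system also uses the DHCP-provided fields those servers supply.

On affected systems, the default "Directory Access" settings blindly use and trust the DHCP fields supplied by these servers, and the system does not prevent a login under any login name that has uid 0. For example, if the LDAP or NetInfo server contains a user named "bluemeanie" with uid 0, the system accepts that login without any check at the login window or through any network-offered service, such as SSH.

In most cases the Mac must be booted in the malicious environment for the vulnerability to be exploited (the netinfod process must be restarted for the malicious server to be inserted into its list of authentication sources).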
        

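- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may bring the system down completely]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]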

- CPE (affected platforms and products)

cpe:/o:apple:mac_os_x:10.0.3  Apple Mac OS X 10.0.3
cpe:/o:apple:mac_os_x_server:10.2.1  Apple Mac OS X Server 10.2.1
cpe:/o:apple:mac_os_x_server:10.2.6  Apple Mac OS X Server 10.2.6
cpe:/o:apple:mac_os_x:10.3.2  Apple Mac OS X 10.3.2
cpe:/o:apple:mac_os_x:10.2.8  Apple Mac OS X 10.2.8
cpe:/o:apple:mac_os_x_server:10.2.8  Apple Mac OS X Server 10.2.8
cpe:/o:apple:mac_os_x_server:10.3.1  Apple Mac OS X Server 10.3.1
cpe:/o:apple:mac_os_x_server:10.2.5  Apple Mac OS X Server 10.2.5
cpe:/o:apple:mac_os_x_server:10.2  Apple Mac OS X Server 10.2
cpe:/o:apple:mac_os_x_server:10.2.4  Apple Mac OS X Server 10.2.4
cpe:/o:apple:mac_os_x_server:10.3.2  Apple Mac OS X Server 10.3.2
cpe:/o:apple:mac_os_x:10.0.2  Apple Mac OS X 10.0.2
cpe:/o:apple:mac_os_x_server:10.2.7  Apple Mac OS X Server 10.2.7
cpe:/o:apple:mac_os_x_server:10.3  Apple Mac OS X Server 10.3
cpe:/o:apple:mac_os_x_server:10.2.3  Apple Mac OS X Server 10.2.3
cpe:/o:apple:mac_os_x_server:10.2.2  Apple Mac OS X Server 10.2.2

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1009
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1009
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200403-133
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/13874
(VENDOR_ADVISORY)  XF  macos-dhcp-gain-privileges(13874)
http://docs.info.apple.com/article.html?artnum=61798
(VENDOR_ADVISORY)  CONFIRM  http://docs.info.apple.com/article.html?artnum=61798
http://www.securityfocus.com/bid/9110
(VENDOR_ADVISORY)  BID  9110
http://www.carrel.org/dhcp-vuln.html
(UNKNOWN)  MISC  http://www.carrel.org/dhcp-vuln.html
http://docs.info.apple.com/article.html?artnum=32478
(UNKNOWN)  MISC  http://docs.info.apple.com/article.html?artnum=32478

- Vulnerability information

Apple MacOS X DHCP Response Root Access Vulnerability
Critical  Configuration Error
2004-03-29 00:00:00 2005-10-20 00:00:00
Remote
        
        

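- Advisories and patches

Vendor patch:
Apple
-----
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:

http://www.apple.com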

- Vulnerability information

2868
Apple Mac OS X Insecure Default DHCP Packet Handling

- Vulnerability description

Apple OS X contains a flaw that may allow a malicious user to gain remote root access. The issue is triggered when the operating system is searching for DHCP servers on all network interfaces. It is possible that the flaw may allow total control of the operating system resulting in a loss of confidentiality, integrity, and availability.

- Timeline

2003-11-26 2003-10-09
2003-11-26 Unknown

- Solution

There are several ways to avoid this vulnerability.

Disable any network authorization services from obtaining settings from DHCP:

  - In Directory Access, select LDAPv3 in the Services tab, click "Configure...", and uncheck "Use DHCP-supplied LDAP Server".
  - In Directory Access, select NetInfo in the Services tab, click "Configure...", and uncheck "Attempt to connect using broadcast protocol" and "Attempt to connect using DHCP protocol".
  - In Directory Access, uncheck LDAPv3 and NetInfo in the Services tab if you don't intend to use them.

Turning off DHCP on all interfaces on your affected Mac OS X machine can also keep you from being affected.

For added security, be sure to disable any unused network ports: turn the AirPort card off or remove it if it is not being used.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Apple MacOS X DHCP Response Root Compromise Vulnerability
Configuration Error 9110
Yes No
2003-11-26 12:00:00 2009-07-12 12:56:00
The disclosure of this issue has been credited to William Carrel.

- Affected versions

Apple Mac OS X Server 10.3.2
Apple Mac OS X Server 10.3.1
Apple Mac OS X Server 10.3
Apple Mac OS X Server 10.2.8
Apple Mac OS X Server 10.2.7
Apple Mac OS X Server 10.2.6
Apple Mac OS X Server 10.2.5
Apple Mac OS X Server 10.2.4
Apple Mac OS X Server 10.2.3
Apple Mac OS X Server 10.2.2
Apple Mac OS X Server 10.2.1
Apple Mac OS X Server 10.2
Apple Mac OS X 10.3.2
Apple Mac OS X 10.2.8
Apple Mac OS X 10.0.3
Apple Mac OS X 10.0.2

- Discussion

It has been reported that Apple MacOS X may be prone to a vulnerability that may allow an attacker to gain root access to a vulnerable system via DHCP responses.

It has been reported that systems running MacOS X attempt to negotiate DHCP on all available interfaces. If a network is not found and the system uses wireless connectivity, it will attempt to connect to any network in order to obtain an address. The system will also attempt to connect to an LDAP or NetInfo server on the network by using DHCP-provided fields. The vulnerable host is reported to implicitly trust the server for correct information. It has also been reported that an attacker may set up a malicious server and thereby be able to log in to a vulnerable system using any login name and a user id (uid) of 0 in response to DHCP lease requests.

- Exploit

Proof of concept guidelines are available from the following web site:
http://www.carrel.org/dhcp-vuln.html

- Solution

Apple has released advisories to fix this issue in Apple Jaguar for Mac OS X 10.2.8 and Mac OS X Server 10.2.8 and Panther for Mac OS X 10.3.2 and Mac OS X Server 10.3.2. Please see referenced advisories for more details about obtaining fixes.

- References

 

 
